Control system for actuators in an aircraft

ABSTRACT

A control system for calculating control commands for actuators in an aircraft, wherein the control commands are calculated by computers distributed in the craft in dependence on input signals containing parameters that serve as the basis for said commands, wherein a computer (C) is arranged at each respective local actuator (A) and, together with the actuator (A), forms a servo node (S) where the computer (C) receives input signals via data bus (B), whereby the computer (C) in each servo node (S) calculates control commands for the local actuator (A) based on one or more sets of control laws in dependence on received parameters, and wherein the computer (C) calculates, in a corresponding manner, control commands for at least one additional actuator (A) in another servo node (S), and wherein a choice of control commands is used as the control command (7) for the actuator (A) locally in each servo node (S) in dependence on a comparison between the control commands (4) calculated locally in the servo node (S) and a control command (3) calculated for the actuator (A) in at least one other servo node (S) for the actuator (A).

TECHNICAL AREA

The invention concerns a device and a method for creating control commands for actuators in an aircraft, whereby the control commands are calculated in dependence on control parameters obtained from sensors and distributed to computers, wherein the control commands are calculated in accordance with control laws that apply to each actuator.

STATE OF THE ART

Systems that require control commands are described below, with such a system being exemplified by an aircraft. However, this is not a limitation, since the technology is capable of use in all types of systems where the same types of problems exist. There are a number of applications in which redundant computers are used to achieve high reliability in connection with the calculation of control commands for aircraft. One such application is found in connection with the control system for a modern aircraft, in which a “fly-by-wire” control system is used to replace the mechanical systems formerly used. The control commands for such a system are generated by means of, e.g. three redundant digital and asynchronous primary flight computers (channels); see FIG. 3. These three primary flight computers 10 are centralized to form a unit, the autopilot 11. Each channel has its own set of transmitters 12. The channels can exchange transmitter data via an internal digital link in the autopilot. Each of the autopilot channels calculates one control command for each actuator 13, which are in turn mechanically connected by a control surface. These commands are voted for in a voter 14 at each actuator in such a way that if one control command is incorrect, the other two channels can together compensate for the error that has arisen. This method, in which more than one channel controls one actuator, requires that functions for solving the problem of so-called “force fight” be built into the autopilot.

Communication between the autopilot and transmitters/actuators occurs via analog or digital point-to-point communication.

A centralized control system of the type described above comprises a physical unit, the autopilot which, should it become disabled (e.g. as a result of damage during combat), causes the entire system to stop functioning. The fact that all the computing power is concentrated in one processor per channel means that there are no limits on the ways that any programming error might affect the system. In those cases where signaling between the autopilot and the actuators/transmitters occurs by analog means, the task of integrating the various units is relatively complex.

DESCRIPTION OF THE INVENTION

According to one aspect of the invention, it comprises a control system that supplies actuators in an aircraft with control commands, wherein the control commands are calculated in computers distributed in the aircraft and in dependence on input signals obtained from sensors via a data bus and containing parameters that provide the basis for calculating said commands, and wherein the system is designed so that one computer is arranged locally at each actuator, whereby the computer and its associated actuator form a servo node with a digital interface to the data bus. The computer in a servo node calculates the control commands, in accordance with control laws stored in the computer, for the local actuator in the servo node, plus the control commands for at least one additional actuator in another servo node. Locally at each actuator, a choice of control commands for the actuator is used as the control command, which choice depends on a comparison between the control command calculated locally in the servo node and the control command calculated non-locally by a computer in at least one additional servo node, which is obtained via the data bus.

The actuators can operate in two modes; one mode in which they function normally, i.e. assume their commanded positions, and another mode, a so-called “fail-safe” mode which, in the case of an aircraft, entails that the actuator permits its control surface to follow the airstream (“free-winging”). In its normal mode, the actuator will operate as long as a pulse is being sent via a special signal. If the pulse disappears, the actuator will switch over to its fail-safe mode.

The servo node computer in each servo node calculates not only the control command for its own actuator, but also the control command for one or more other servo nodes. The non-locally calculated control commands are sent via the data bus to the other servo nodes in the control system. Each servo node thus receives a number of externally-calculated control commands intended for its own actuator. These externally calculated control commands are, together with the locally, i.e. internally calculated control command calculated in the servo node itself, passed through a voter, e.g. a Mid-Level Voter, whereupon one of the control commands is selected as the actuator command and consequently used to control the actuator. This process prevents most single failures from affecting the control surface. The selected, transmitted control command and the control command calculated locally in the servo node are monitored in a monitoring unit and must, as long as no transient errors occur, be identical. If they are not, certain types of errors can be identified and rectified, e.g. via so-called double execution, i.e. in that each servo node contains a number of sets of control laws, whereby each such set produces its own control command via the servo computer. Each set of control laws uses its own set of parameters to execute the control commands. The executions of the various sets of control laws are separated in time, and occur in such a way that a transient error in, e.g. the input data will only affect the execution of one set of control laws. Whichever of the control laws produces an output signal that agrees with the command sent to the actuator can then be considered to be correct since, according to the foregoing rationale, the actuator cannot be affected by most single failures. The value of the state variables from the set of control laws that is considered to be correct is then copied to the control law/laws that calculated an incorrect control command, whereupon there are more correct sets of control laws to proceed with at the next instance of execution. Another alternative means of rectifying transient errors is to have just one set of control laws in each servo node but, in the event of an error, to copy the value of the state variables from an error-free servo node to the faulty servo node via the data bus.

The servo node also internally monitors its own function with the help of, e.g. a so-called “Watch Dog Monitor” or WDM, in a known manner. The function of the actuator is monitored by means of, e.g. a model monitor. If a fault is detected by the internal monitoring or at the actuator by the model monitor, the actuator will be commanded to assume its fail-safe mode in that a pulse will no longer be sent to the actuator. If a serious fault occurs in the servo node computer or electronics, the node will be unable to deliver any pulse, whereupon the actuator will again be switched to its fail-safe mode.

The advantages achieved using a control system according to the invention consist in that:

- higher damage tolerance is achieved, since there is no central and thus critical unit;
- maintenance costs will be lower, in that a complex central unit is replaced by multiple simpler and mutually interchangeable devices;
- troubleshooting, fault-localization and integration of the control system units are simplified, since the servo nodes have only digital interfaces with the rest of the system.

FIGURE DESCRIPTION

FIG. 1 shows a servo node in a control system according to the invention, and its connection to the control system data bus. The figure is merely a functional depiction, and does not give a physical description of the servo node.

FIG. 2 provides an overview of the structure of a control system with distributed computers according to the invention, i.e. one computer function for each actuator.

FIG. 3 illustrates a control system according to the prior art with three primary control computers arranged centrally, and wherein the computers are arranged in parallel for redundancy.

DESCRIPTION OF EMBODIMENTS

A number of embodiments of the invention are described below with reference to the accompanying figures.

FIG. 2 provides an overview of a number of actuators A distributed throughout an aircraft. The actuators A have the purpose of executing a control maneuver, such as actuating a valve or controlling an engine, an electrical machine, a relay, a rudder surface or some other corresponding actuatable device. The actuators A are controlled by means of computers C, which are deployed in servo nodes (S). Each computer C contains stored control laws for calculating control commands for the actuator A in the servo node (S) to which said computer belongs, and for at least one additional actuator A in another servo node (S). The control of the actuator A is determined by parameters that are obtained via sensors G in the system. The sensors G can consist of miscellaneous data transmitters such as speed indicators, temperature gages, pressure gages, steering controls, etc. The aforesaid sensor parameters are digitally transmitted as data via a data bus B, whereby all the servo nodes (S) in the system have access to exactly the same sensor data. The computer C in each servo node (S) can thus calculate, based on received sensor data, a control command for the actuator A in its own servo node and for at least one actuator A in another servo node (S), based on control laws programmed into the computer C.

A servo node in the control system is described separately in FIG. 1, where the servo node contains a computer C that is connected to the actuator A. All sensor data (2) are sent to the computer C via the data bus B. These data are used by the control laws F to calculate at least two local control commands (4) according to the double-execution principle, or just one control command (4) in the event that double-execution is no longer intended to be used. One control command (1) is calculated for at least one additional actuator in another servo node (S). The control command/commands (4) calculated locally by the servo node for itself is/are voted on together with a number of non-locally calculated control commands (3) for its actuator A in a voter H, e.g. a “Mid-Level-Voter”. The resulting control command (7) is used to control the actuator A. The selected actuator command (7) and the local control command/commands (4) are monitored by a monitoring function I. If the locally calculated control command/commands (4) do not agree perfectly with the actuator command (7), one of the following actions is carried out:

- If double-execution is used: determine which of the local control commands (4) is correct. The state variables for the set of control laws for the correct control command are copied to the sets of control laws that calculated an incorrect control command.
- If double-execution is not used: the state variables are copied from a correctly functioning servo node (S) to the malfunctioning servo node (S) via the data bus.

In either case, the correct local control command/commands (4) is/are obtained at the next point of execution, assuming that no transient faults occur. If, for any reason, it is not possible to cope with the transient fault, the non-locally calculated control commands (3) may, as a first option, be used to control the actuator A. If this is not possible either, the actuator A will be put into its fail-safe mode in that the pulsed signal will cease. The monitoring function I will then also stop sending the pulsed signal (8) if the internal monitoring function W in the computer has detected any faults. The internal monitoring function W is designed in such a way that it has a high probability of being able to detect if the computer C is not functioning in the intended way; such monitoring can be realized by using a “Watch-Dog-Monitor” in a known manner. The monitoring function I also stops sending the pulsed signal (8) if the actuator monitoring function J detects that the actuator is not behaving in the expected way; this can be realized via a so-called “model monitor” in a known manner, based on the actuator commands and certain parameters from the actuator (9).
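The per-cycle logic of one servo node described above (voter H, monitoring function I, double-execution recovery, fallback to the non-local commands, and withdrawal of the pulse) can be sketched as follows. This is an added illustration, not code from the patent: the integer commands, the toy integrating control law, the choice of two law sets, all identifiers, and the reading of "no non-local commands available" as the case that forces fail-safe are assumptions.

```c
#include <stddef.h>

#define N_SETS 2      /* double execution: two sets of control laws (assumed) */
#define MAX_VOTES 8

typedef enum { NODE_OK, NODE_RECOVERED, NODE_REMOTE_ONLY, NODE_FAILSAFE } node_status_t;
typedef struct { int state; } law_set_t;            /* state variables of one law set */
typedef struct { law_set_t laws[N_SETS]; int pulse; int cmd; } servo_node_t;

/* Toy control law (assumed): integrate the sensor value and output the state. */
static int run_law(law_set_t *l, int sensor) { l->state += sensor; return l->state; }

/* Mid-level voter H: return the median of n candidate commands (n >= 1). */
int mid_level_vote(const int *v, size_t n) {
    int s[MAX_VOTES];
    for (size_t i = 0; i < n; i++) {                /* insertion sort into s */
        size_t j = i;
        while (j > 0 && s[j - 1] > v[i]) { s[j] = s[j - 1]; j--; }
        s[j] = v[i];
    }
    return s[(n - 1) / 2];
}

/* One execution cycle. sensor[i] is the input seen by law set i; the sets run
   at different times, so a transient error may corrupt only one of them. */
node_status_t node_cycle(servo_node_t *n, const int sensor[N_SETS],
                         const int *remote, size_t n_remote, int monitor_fault) {
    int votes[MAX_VOTES], local[N_SETS], good = -1, agree = 0;
    if (monitor_fault || N_SETS + n_remote > MAX_VOTES) {   /* W or J reported a fault */
        n->pulse = 0;
        return NODE_FAILSAFE;
    }
    for (int i = 0; i < N_SETS; i++) votes[i] = local[i] = run_law(&n->laws[i], sensor[i]);
    for (size_t i = 0; i < n_remote; i++) votes[N_SETS + i] = remote[i];
    n->cmd = mid_level_vote(votes, N_SETS + n_remote);      /* actuator command (7) */
    n->pulse = 1;

    /* Monitoring function I: local commands (4) must be identical to command (7). */
    for (int i = 0; i < N_SETS; i++) if (local[i] == n->cmd) { good = i; agree++; }
    if (agree == N_SETS) return NODE_OK;
    if (n_remote == 0) { n->pulse = 0; return NODE_FAILSAFE; }  /* no external reference */
    if (good >= 0) {                                /* copy state from the correct set */
        for (int i = 0; i < N_SETS; i++)
            if (local[i] != n->cmd) n->laws[i] = n->laws[good];
        return NODE_RECOVERED;
    }
    n->cmd = mid_level_vote(remote, n_remote);      /* fall back to commands (3) only */
    return NODE_REMOTE_ONLY;
}
```

The copy of state variables from a fault-free node over the data bus, the alternative for nodes without double execution, is not modelled here.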

Other servo nodes (S) in the control system function in the manner described above. The signals that are mediated to the respective servo computers are digital. The various servo nodes (S) work in synchrony.

1. A control system for actuators in an aircraft, whereby control commands for the actuators are calculated by computers distributed in the aircraft and where each computer is arranged to receive sensor parameters via a data bus and to calculate control commands for a first actuator and for at least one additional actuator in dependence on received sensor parameters, wherein: each computer is connected to and controls only one actuator and, together with the actuator, forms a servo node with a digital interface to the data bus, the computer in each servo node is arranged to receive, via the data bus, control commands for the actuator determined by a computer in at least one additional servo node, the computer in the at least one additional servo node connected to and controlling a different actuator than the actuator in the servo node and not connected to the actuator in the servo node, the computer in each servo node is arranged to select an executive control command for the actuator in the servo node in dependence on a comparison between the control commands calculated locally in the servo node and the control commands received via the data bus, the computer is arranged to control the actuator in the servo node by means of the executive control command.

2. A control system according to claim 1, wherein the computer in the servo node contains programs with control laws for calculating control commands for the actuator in its own servo node, plus control laws for calculating control commands for actuators in at least one other servo node.

3. A control system according to claim 2, wherein each servo node contains a voting function for calculating an executive control command for the actuator based on both the control commands calculated locally in the servo node itself and on control commands calculated in at least one other servo node.

4. A control system according to claim 3, wherein a monitoring function in the servo node receives the executive control command and the locally calculated control commands and compares these control commands, which must be identical.

5. A control system according to claim 4, wherein, as long as no fault is present, the monitoring unit transmits a pulsed control signal to the actuator, whereupon the pulsed control signal must be present at the actuator in order for a control command to be executable, so that if the pulsed control signal ceases, the actuator will be set to its fail-safe mode.

6. A control system according to claim 5, wherein the computer in a servo node contains an internal monitoring function that monitors the computer functionality and, in the event of a fault, sends information to the monitoring unit, whereupon the pulsed control signal is not transmitted, which causes the actuator to be set to its fail-safe mode.

7. A control system according to claim 6, wherein the function of the actuator is monitored by a model monitor that detects any malfunction of the actuator, whereby the monitoring unit obtains information about the fault, whereupon the pulsed signal is terminated and the actuator is set to its fail-safe mode.

8. A control system according to claim 1, wherein the computer contains multiple sets of control laws and compares the control commands calculated locally in the servo node via double-execution with the actuator command selected by voting, whereupon, in the event that the commands are not exactly identical, the control commands calculated in at least one other servo node are used to determine which of the locally calculated control commands is correct.

9. A control system according to claim 8, wherein the values of the state parameters in the control laws that produced the correct local control command are copied to the set of control laws that failed to produce a correct control command.

10. A control system according to claim 1, wherein the computer contains a set of control laws and compares the control command calculated locally in the servo node with the actuator command selected by voting, whereupon, in the event that the commands are not exactly identical, the value of the state parameters of the control laws in a fault-free servo node is copied to the state parameters in the control laws in the faulty servo node.

11. A control system according to claim 1, wherein the control system signals are exclusively digital in nature, and in that the signals in the system are mediated via a data bus.

12. A control system according to claim 11, wherein the data bus is a logical “broadcast” bus or a star-configured bus.

13. A control system according to claim 1, wherein the servo nodes in the control system work in synchrony.

14. A control system according to claim 2, wherein the control system is used in an airplane, in that the sensors contain gyros for detecting roll rate as well as speed indicators, and in that the actuators are used to operate control surfaces.

15. A control system comprising: a plurality of servo nodes, each servo node comprising: one actuator in the servo node; and a computer arranged at the actuator in the servo node, operatively coupled only to the actuator in the servo node and operable to receive sensor parameters over a data bus, to calculate a control command for the actuator in the servo node, to calculate a control command for an actuator in another of the plurality of servo nodes, to receive a control command for the actuator in the servo node, to select a control command based on a comparison of the control command calculated by the servo node for the actuator in the servo node and the received control command, and to control the actuator using the selected control command.

16. The control system of claim 15, wherein the computer in each servo node is operable to calculate the control command for the actuator in the servo node based on control laws and to calculate the control command for an actuator in another of the plurality of servo nodes based on control laws.

17. The control system of claim 16, wherein the computer in each servo node is operable to select the control command based on a voting function.

18. The control system of claim 17, wherein the computer in each servo node is further operable to compare the selected control command with the calculated control command for the actuator in the servo node and to determine that there is a fault if the selected control command is not identical to the calculated control command for the actuator in the servo node.

19. The control system of claim 18, wherein the computer in each servo node is operable to transmit a pulsed control signal to the actuator and the actuator is operable to execute a control command if the pulsed control signal is present and to set to a fail-safe mode if the pulsed control signal is not present.